Ramnit sleeping malware targets UK financial sector

A dangerous variant of the Ramnit malware has been discovered targeting the UK's financial sector. Security firm Trusteer reported uncovering an evolved version of the Ramnit malware with advanced detection-dodging powers on Tuesday.
"Trusteer's security team recently analysed a Ramnit variant that is targeting a UK bank with a clever one-time password (OTP) scam," said a Trusteer spokesman.
The malware reportedly avoids detection by going into an idle sleep mode until its intended victim logs into their online bank account, at which point it activates and presents them with a fraudulent phishing message.
"While the user is reading the message, Ramnit connects to its command and control server and obtains the details of a designated mule account," explained a Trusteer spokesman.
Once connected to the account the malware enters its final stage, presenting its victim with a second bogus message designed to dupe the user into entering a code that will let the malware bypass the system's final defence.
"This is followed by the initiation of a wire transfer to the money mule. But, there is still one more obstacle in the way of the malware – to complete the transaction a One Time Password (OTP) must be entered by the user. To overcome this requirement Ramnit displays [a second message]," said the spokesman.

"The temporary receiver number in the message is in fact the mule's account number. The user then receives the SMS and thinking that he must complete the "OTP service generation", enters their OTP. By entering the OTP, the user unknowingly enables the malware to complete the fraudulent transaction and finalise the payment to the mule account."
Trusteer said the malware's authors have moved to further hide the malware from its intended victims, by making it alter the bank's FAQ to make it seem as if the bogus messages are entirely legitimate.
"The new process Ramnit created may raise the suspicion of users who are accustomed to a specific workflow on their bank's website. Anticipating that some suspicious users may reference the bank's FAQ page, Ramnit authors took the extra step of altering the FAQ section to fit the new process," said the spokesman.
"By changing multiple entries in the FAQ section Ramnit demonstrates that its authors did not leave anything to chance – even if the victim decides to go the extra step, Ramnit is already there."
The Ramnit variant is one of many advanced attacks discovered this year. Prior to it Eset uncovered a malicious cyber campaign using a backdoor exploit in Apache web servers to herd web users to sites carrying Blackhole exploit packs.